\documentclass[A4,12pt]{article}
\usepackage{times}
\usepackage{enumerate}
\usepackage{amsmath}
\usepackage{graphicx}
%\usepackage{setspace}
%\doublespacing
%\numberwithin{equation}

\begin{document}
%
% paper title
% can use linebreaks \\ within to get better formatting as desired
\title{An Efficient and Untraceable Smart Card Based Remote User Authentication  Protocol}

\author{Chin-Chen Chang, Hai-Duong Le, Chia-Yin Lee, Chin-Hsiang Chang}% <-this % stops a space

% make the title area
\date{}
\maketitle

\begin{abstract}
%\boldmath

\textbf{Keywords:} authentication, key agreement, untraceability, anonymity, smart card, mobile communication
\end{abstract}

\section{Introduction}
	
	The notation used in this papers are listed here:

	\begin{tabular} {l p{10cm}}
	$\mathcal{U}$ & the user \\
	$\mathcal{S}$ & the remote server \\ 
	$\mathcal{A}$ & the adversary \\ 
	$ID$ & the identity of $U$ \\
	$PW$ & the password of $U$ \\
	$x$ & a long term secret key of $S$ \\
	$h(\cdot)$ & a public one-way hash function \\
	$r$, $r'$, $n$ &  two random numbers \\
	
	\end{tabular}

\section{Related Work}

\subsection{Review of Yeh et al.'s Scheme}
In this section, we first review Yeh et al.'s second remote user authentication protocol. Then, we analyze the scheme and point out the inherent weaknesses in it.


\subsubsection{Registration Phase}
%\begin{enumerate}[Step 1]
%\item  $\mathcal{U} \rightarrow \mathcal{S}$: $\{ID, h(PW) r\}$
%\item $\mathcal{S} \rightarrow \mathcal{U}$: $\{r, N, Y, h(\cdot)\}$
%\end{enumerate}
A user $\mathcal{U}$ registers to the server $\mathcal{S}$ by sending his identity $ID$, the hash value of his password $h(PW)$, and a random number $r$ to the server over a secure channel. A smart card containing $\{r, N, Y, h(\cdot)\}$ is issued to the user, where $N=h(r \| x) \oplus h(PW)$, $Y=h(ID \| h(r \| x))$, and $x$ is the server's long term secret key. 

\subsubsection{Login Phase}
The user starts login process by inserting his smart card into a card reader, then provides the system with his identity $ID$ and password $PW$. The smart card first verifies the user's identity and password by computing $Y'=h(ID \| h(r \| x)')$, where $h(r \| x)' = N \oplus h(PW)$. If $Y'$ is equal to $Y$, the smart card continues the login procedure; otherwise, it rejects the user's login request. 

After verifying the user's identity and password, the smart card helps the user to login into the server $\mathcal{S}$ as follows:

\begin{enumerate}[Step 1.]
\item The smart card chooses a nonce $n$ and computes $K = h(r \| x)' \oplus n$, $L = ID \oplus h(h(r \| x)'  \| n)$, and $CID = h(ID \| n)$. It then sends the request login message $\{CID, r, K, L\}$ to the server $\mathcal{S}$.

{\bf Message 1.}  $\mathcal{U} \rightarrow \mathcal{S}$: $\{CID, r, K, L\}$


\item Upon receiving the request from $\mathcal{U}$, the server computes $M = h(r \| x)$ and  $n' = M \oplus K$. The user's identity is derived by computing $ID' = h(M \| n') \oplus L$. Then, the server verifies the user by checking whether $CID$ is identical to $CID'$, where $CID' = h(ID' \| n')$ . If they are equal, $\mathcal{U}$ is legitimate; otherwise, the login request is rejected. In order to prove its identity, $\mathcal{S}$ sends the reply containing $a' = h(h(n' \| ID \| M))$ to $\mathcal{U}$.

{\bf Message 2.}  $\mathcal{S} \rightarrow \mathcal{U}$: $\{a'\}$

\item After the smart card receives the reply, it attests the server by verifying $a'$ against $a = h(h(n \| ID \| h(r \|x)'))$. If they are the same, the smart card trusts that $\mathcal{S}$ is genuine. 
\end{enumerate}
Eventually, both the server $\mathcal{S}$ and the user $\mathcal{U}$ successfully authenticate each other. They also compute $SK =h(h(n) \| h(r \| x))$ as their shared session key.


\subsubsection{Password Changing Phase}
Before changing the user's password, the smart card verifies the user $\mathcal{U}$ in the same way it does in login phase. Then, the user enters his new password $PW_{new}$. The smart card changes the password $PW$ to the new one by replacing $N$ with $N_{new} =  N \oplus h(PW) \oplus h(PW_{new})$ in its memory.

\subsection{Weaknesses of Yeh et al.'s Scheme}

\subsubsection{Replay Attack}

\subsubsection{Masquerade Attack}

\subsubsection{Off-line Password Attack}

\section{The Proposed Scheme}

\subsection{Registration Phase}
The registration phase consists of three steps:
\begin{enumerate}[Step 1.]
\item At the beginning of this phase, the user $\mathcal{U}$ first chooses a password $PW$ and a random number $b$. He then submits the $ID$ and $h(PW \| b)$ to the server $\mathcal{S}$ over a secure channel.
\item Upon receiving the registration request from $\mathcal{U}$, the server chooses a random number $r$ and computes $M_1 = h(r \| x) \oplus h(PW \| b)$, and $M_2 = h(ID \| x) \oplus h(PW \| b)$, where $x$ is the long-term secret of the server. Next, $\mathcal{S}$ issues a smart card containing $\{r, M_1, M_2, h(\cdot)\}$ to $\mathcal{U}$.
\item After receiving the smart card, the random number $b$ is written into the card by the user. Finally, the smart card's memory holds $\{b, r, M_1, M_2, h(\cdot)\}$.
\end{enumerate}
\subsection{Login Phase}

\begin{enumerate}[Step 1]

\item To login into the server $\mathcal{S}$, the user $\mathcal{U}$ inserts his smart card into the card reader and provides his identity $ID$ and password $PW$. The smart card derives $h(r \| x)' = M_1 \oplus h(PW \| b)$ and $h(ID \| x)' = M_2 \oplus h(PW \| b)$. Next, it chooses a random nonce $n$ and sends the login request message with the parameters $\{r, N_1, N_2\}$ to the server $S$, where $N_1 = h(r \| x)' \oplus n$, $N_2 = h(n \| r)$.

{\bf Message 1.}  $\mathcal{U} \rightarrow \mathcal{S}$: $\{r, N_1 = h(r \| x)' \oplus n, N_2 = h(n \| r)\}$
\item Upon receiving the login request from $\mathcal{U}$, the server computes $h(r \| x)$ and derives $n' = N_1 \oplus h(r \| x)$. Then, it verifies $h(n' \| r)$ against $N_2$. If they are identical, $\mathcal{S}$ chooses a random number $r_{new}$ and computes $P_1 = h(n' \| h(r \| x)) \oplus r_{new}$, $P_2 = h(r_{new} \| x) \oplus h(n')$, and $P_3 = h(n' \| h(r_{new} \| x) \| r_{new})$. Afterwards, the server sends the reply containing $\{P_1, P_2, P_3\}$ to the user.

{\bf Message 2.}  $\mathcal{S} \rightarrow \mathcal{U}$: $\{P_1 = h(n' \| h(r \| x)) \oplus r_{new}, P_2 = h(r_{new} \| x) \oplus h(n'), P_3 = h(n' \| h(r_{new} \| x) \| r_{new})\}$
\item Once receiving the reply message from the server, the smart card obtains $r_{new}' = P_1 \oplus h(n \| h(r \| x)')$, $h(r_{new} \| x)' = P_2 \oplus h(n)$. It computes and checks whether $h(n \| h(r_{new} \| x)' \| r_{new}')$ is equal to $P_3$ or not. If they are equal, the smart card believes that the server is authentic; otherwise, it terminates the session. Once it confirms the authenticity of $\mathcal{S}$, it computes the parameters $N_3 = ID \oplus h(n \| r_{new}')$, and $N_4 = h(n \| h(ID \| x)' \| r_{new}' )$. The smart card also calculates the session-key $SK = h(n \| ID \| r_{new}')$. And then, it forwards the message with the parameters $\{N_3, N_4\}$ to the server. 

{\bf Message 3.}  $\mathcal{U} \rightarrow \mathcal{S}$: $\{N_3 = ID \oplus h(n \| r_{new}'), N_4 = h(n \| h(ID \| x)' \| r_{new}' )\}$

After successfully authenticating the server, the smart replaces $r$, $h(r \| x)$ in its memory by $r_{new}'$, $h(r_{new} \| x)'$, respectively.

\item After deriving the user's identity $ID' = N_3 \oplus h(n' \| r_{new})$, the server verifies the parameter $N_4$. If $N_4$ is identical to $h(n' \| h(ID' \| x) \| r_{new} )$, the server believes that $\mathcal{U}$ is a valid user; otherwise, it terminates the sessions. Finally, it computes the session-key $SK = h(n' \| ID' \| r_{new})$.


\end{enumerate}

At the end of login phase, both the server $\mathcal{S}$ and the user $\mathcal{U}$ are authenticated by each other.  Together with mutual authentication, they share the session-key $SK = h(n \| ID \| r_{new})$ for the subsequent communication.


\subsection{Password Changing Phase}
To change the password, the user first logins into the server. After $\mathcal{U}$ is successfully authenticated by $\mathcal{S}$, he provides the smart card with his new password $PW_{new}$. The smart card replaces $M_1$, $M_2$ in its memory with $M_{1new} =M_1 \oplus h(PW \| b) \oplus h(PW_{new} \| b)$, and $M_{2new} = M_2  \oplus h(PW \| b) \oplus h(PW_{new} \| b)$, respectively.
\section{Security Analysis}

\subsection{Overview}
In this section, we will define the setting in which the authenticated key agreement scheme using smart card takes place. Unlike entity authentication in which participants can play equipotent roles, the proposed scheme is specifically designed for client-server communication model. In a client-server system, the clients consume the services which are provided by a server. Normally, not all the services are available for every user of the system; a user's privilege specifies what services he/she can access. Thus, it requires that the server should be able to determine the identity of a user. Moreover, to prevent server spoofing, clients need to confirm the authenticity of the server. Therefore, a server and a client should be able to authenticate each other in client-server model. After confirming the identities of the communication's partners, a shared session-key is generated and used to enforce the confidentiality of the subsequent conversation between the server and a client. 

In our scheme, the smart card is used to help users in the authentication and key agreement protocol. The smart card contains authentication information of the user.

\noindent $\bullet$ Attacking model:

We make a strong assumption that the communication media are controlled by adversaries. They can passively observe all the messages or they can actively remove the messages from the communication channel, redirect the messages to destinations, insert their own message into the channel, and modify the messages. Moreover, if an adversary is able to get hold of a user's smart card, he can derive the identification information from it. 

In passive eavedropping phase, adversaries don't actually affect the communications between the server and its clients; authentication and key agreement are carried out normally. Therefore, we only concern  where the adversaries are active. 


\noindent $\bullet$ Cases:

Our scheme facilitate a two-factor authentication which utilizes password and smart card. We don't consider the case in which an adversary can obtain both the password and the smart card of a user, because he can gain access to the system for sure. We will consider the security of the scheme only in the the following cases:
\begin{enumerate}
\item The adversary only has the transcript of previous communications obtained by eavesdropping.
\item Other then the communication transcript, the adversary also compromise either a user's password or smart card.
\end{enumerate}

\subsection{Authentication in Client-Server Model using Smart Card}

Theorem 1: the protocol is secure in the case there is no compromisation of user's password or smart card. Considering the case where 





Draft:

The objective of an mutual authentication and key agreement scheme is 

The two related and complementary mechanisms that ensure a userIn order to authorize a user  access his/her dedicated services, 

There are certain applications which are available only for registered clients. ; therefore, the server needs to authenticate the clients who request these types of services. To prevent server spoofing, the clients 
\section{Performance Analysis}

\section{Conclusions}

\bibliographystyle{plain}
\bibliography{science}

\end{document}


